IQY Attachment Malspam Campaign

Antivirus platform Barkly published a report on a new malspam (malware spam) campaign spread via the Necurs botnet that targets users by taking advantage of Microsoft Excel’s .iqy file type. When one of these files is opened, Excel connects to a website listed within the file and pulls data from that website into a spreadsheet. This data executes a PowerShell script that then installs the FlawedAmmyy remote access trojan, providing attackers with remote access to administrative functions on the infected device. This attack has evaded antivirus detection because the file content is not explicitly malicious. If Excel is configured to block external content, which is often the default, users will be prompted with a “Microsoft Excel Security Notice” when an .iqy file is opened. Users are advised to select “disable” to prevent the malicious script from executing. Emails sent in this campaign include subject lines referencing unpaid invoices, scanned document attachments, or purchase orders and may come from an email address seemingly internal to your organization.

The NJCCIC recommends all users and administrators review the Barkly report for more information on this malspam campaign and apply the recommendations provided, including preventing Excel from starting other applications or creating external connections, adjusting firewall settings and email filters to block .iqy files, or, if this file type is necessary for your operations, setting the default option to open within Notepad, where the malicious script will not run. Users should also refer to the NJCCIC’s General Cybersecurity Best Practices guide for tips to increase email security.
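As an added example (not part of the NJCCIC advisory or the Barkly report), the following Python shows the email-filter recommendation as a check that flags .iqy attachments by extension and by content, and records the website each one would contact. The function names and the sample message are constructed for illustration, and the code assumes the usual web query layout of a `WEB` line, a version line, then the URL.

```python
import email
from email import policy
from email.message import EmailMessage

def parse_iqy(data: bytes):
    """Return the URL a web query (.iqy) file would fetch, or None if not one."""
    text = data.decode("utf-8-sig", "replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumed layout: "WEB", a numeric version line, then the URL Excel contacts.
    if (len(lines) >= 3 and lines[0].upper() == "WEB" and lines[1].isdigit()
            and lines[2].lower().startswith(("http://", "https://"))):
        return lines[2]
    return None

def find_iqy_attachments(raw_message: bytes):
    """Return [(filename, url_or_None)] for attachments a mail filter should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        url = parse_iqy(part.get_payload(decode=True) or b"")
        # Match on extension and on content, so a renamed query file is still caught.
        if name.lower().endswith(".iqy") or url is not None:
            hits.append((name, url))
    return hits

def build_sample() -> bytes:
    """Constructed test message: one .iqy, one renamed query file, one benign file."""
    m = EmailMessage()
    m["From"], m["To"] = "billing@corp.example", "user@corp.example"
    m["Subject"] = "Unpaid invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"WEB\r\n1\r\nhttp://query.example.invalid/data\r\n",
                     maintype="application", subtype="octet-stream",
                     filename="Invoice_0001.IQY")
    m.add_attachment(b"WEB\n1\nhttps://query2.example.invalid/q\n",
                     maintype="application", subtype="octet-stream",
                     filename="scan.txt")
    m.add_attachment("Meeting notes.\n", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for filename, url in find_iqy_attachments(build_sample()):
        print(f"BLOCK {filename!r} -> external query to {url}")
```

The extracted URLs can be logged alongside the block decision so the same hosts can be added to firewall or proxy deny lists.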
